Https-everywhere: Audit CACert rulesets

Created on 18 Apr 2017 · 15 Comments · Source: EFForg/https-everywhere

Since Let's Encrypt has launched, some platform="cacert" rulesets may need an update to be enabled for all users.

good volunteer task

All 15 comments

Hi @J0WI, this is my first time contributing to open source. Would like some pointers on how to get started with this task! Could you elaborate? Thank you so much, and sorry if I'm asking for a lot of details.

Thanks for picking up this task!
First I recommend reading our CONTRIBUTING.md. We have some quality standards for rulesets.

Then you can choose any ruleset that contains platform="cacert". If the ruleset already uses our current code style, you can just update it. If not, you need to rewrite those parts to pass our automated tests.
Toofishes.net.xml seems to be an easy one to start with.

Please use a separate branch/PR for each ruleset if they are not related.

Thanks for the pointers!

I have made a very simple script on GIST to test the hosts in cacert rulesets. (Since the script is so simple, I assume there will be false results.) Thanks.

Out of 105 cacert rulesets, I suspect that 69 of them can be enabled (after auditing, of course) for all users.

List (Audit required)

Updated: 2017.05.11

  • [x] chaox.net #9966
  • [x] www.fau.org #9885
  • [x] ~fr33tux.org~ #10069 (pending preload https://github.com/EFForg/https-everywhere/issues/9582#issuecomment-301025922)
  • [x] getpelican.com #9886
  • [x] tip.net.au #9967
  • [x] pcug.org.au #9967
  • [x] replicant.us #9883
  • [x] toofishes.net #9968
  • [x] www.3dcenter.org #9787
  • [x] www.c-base.org #9802
  • [x] olasagasti.info #9783
  • [x] orezpraw.com #9784
  • [x] config.schmidtcom.de #9786
  • [x] umeahackerspace.se #9785
  • [x] 6xq.net #9601
  • [x] allmend.ch #9716
  • [x] alloscomp.com #9680
  • [x] anonbox.net #9666
  • [x] api.bitcoincharts.com #9606
  • [x] bitcoin-contact.org #9718
  • [x] mail.bluepoint.com.ph #9607
  • [x] clearchain.com #9717
  • [x] www.clear-code.com #9679
  • [x] ccodearchive.net #9587
  • [x] cypouz.com #9676
  • [x] bugs.exherbo.org #9616
  • [x] habets.se #9624
  • [x] hackover.de #9721
  • [x] hands.com #9715
  • [x] casper.infradead.org #9767
  • [x] lists.linux.it #9622
  • [x] lists.itnog.it #9623
  • [x] jolexa.net #9673
  • [x] josefsson.org #9610
  • [x] l0cal.com #9773
  • [x] legtux.org #9719
  • [x] linux-dev.org #9597
  • [x] lp0.eu #9599
  • [x] networktimefoundation.org #9595
  • [x] planet.nuug.no, nuug.no #9674
  • [x] blogs.nlnetlabs.nl #9766
  • [x] op-co.de #9589
  • [x] openmandriva.org #9612
  • [x] ~www.open-mesh.org~ #9634 (See https://hstspreload.com/api/v1/status/open-mesh.org)
  • [x] rbu.sh #9724
  • [x] rusty.ozlabs.org #9609
  • [x] parabolagnulinux.org #9596
  • [x] parabola.nu #9586
  • [x] www.pekwm.org #9590
  • [x] pro-linux.de #9608
  • [x] bugzilla.rpmfusion.org #9588
  • [x] honk.sigxcpu.org #9682
  • [x] sipsolutions.net #9720
  • [x] stalkr.net #9765
  • [x] ~stuvel.eu~ #9634 (See https://hstspreload.com/api/v1/status/stuvel.eu)
  • [x] svn.python.org #5109
  • [x] piwik.sysmocom.de #9768
  • [x] vinilox.eu #9600
  • [x] windowmaker.org #9602
  • [x] wza.us #9722
  • [x] gentoo-overlays.zugaina.org #9770
  • [x] envy.zenspider.com #9523

List (HSTS, CANNOT be preloaded)

Remark: Strict-Transport-Security: max-age >= 10886400; includeSubDomains

  • [x] darkfasel.net #9591
  • [x] init7.net #9707
  • [x] kubieziel.de #9714
  • [x] lists.ntp.org #9764
  • [x] lpice.eu #9774

List (HSTS, CANNOT be preloaded)

Remark: Strict-Transport-Security: max-age < 10886400; includeSubDomains

  • [x] fuskator.com (NSFW) #9775 #7937
  • [x] randombit.net #9611

List (GONE from DNS)

Remark: For all subdomains generated by Sublist3r, based on https://dns.google.com
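The buckets in the lists above come down to two checks per target host: does it still present a certificate that only validates against the CAcert root, and what does its Strict-Transport-Security header say relative to the 10886400-second (18 week) max-age, includeSubDomains and preload requirements. The following is an added example, not the commenter's gist script or anything from the https-everywhere repository: it reads a ruleset file, pulls out its target hosts (flagging wildcard targets such as `*.example.org`, which need every subdomain to work), classifies an STS header into the same categories the lists use, and offers a live probe that uses Python's default CA bundle so a host still serving a CAcert-issued certificate shows up as a verification failure. The sample ruleset and the bucket names are constructed for illustration.

```python
"""Audit helper for HTTPS Everywhere rulesets tagged platform="cacert".

Added example (not the project's code). Offline parts: ruleset parsing and
STS header classification. Network part: probe_host(), which is optional.
"""
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Threshold quoted in the thread: 10886400 s = 18 weeks, the minimum max-age
# the HSTS preload list required at the time.
PRELOAD_MIN_MAX_AGE = 10886400

# Constructed sample ruleset; not a file from the repository.
SAMPLE_RULESET = """<ruleset name="Example (constructed)" platform="cacert">
  <target host="example.org" />
  <target host="*.example.org" />
  <rule from="^http:" to="https:" />
</ruleset>"""


def ruleset_targets(xml_text):
    """Return (platform attribute, [target hosts]) for one ruleset document."""
    root = ET.fromstring(xml_text)
    hosts = [t.get("host") for t in root.iter("target")]
    return root.get("platform"), hosts


def wildcard_targets(hosts):
    """Targets of the form '*.example.org' commit the ruleset to every
    subdomain, so each one needs its own check (or a narrower target)."""
    return [h for h in hosts if h.startswith("*.")]


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int|None, "include_subdomains": bool, "preload": bool}.
    Directive names are case-insensitive; max-age may be quoted.
    """
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    if value is None:
        return out
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                out["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def classify_hsts(value):
    """Map a header to the buckets used in the audit lists (names are ours):
    preloadable / hsts-strong-no-preload / hsts-short / no-hsts."""
    h = parse_hsts(value)
    if h["max_age"] is None:
        return "no-hsts"
    if h["max_age"] >= PRELOAD_MIN_MAX_AGE and h["include_subdomains"]:
        return "preloadable" if h["preload"] else "hsts-strong-no-preload"
    return "hsts-short"


def probe_host(host, timeout=10):
    """Live check (needs network). Returns (ok, detail).

    ok is False when the handshake fails against the system CA bundle, which
    is exactly what a host still serving a CAcert-issued certificate looks
    like from a stock browser; DNS failures and timeouts are reported too.
    """
    req = urllib.request.Request("https://%s/" % host, method="HEAD",
                                 headers={"User-Agent": "ruleset-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return True, classify_hsts(resp.headers.get("Strict-Transport-Security"))
    except ssl.SSLCertVerificationError as e:
        return False, "cert-not-trusted: %s" % e.reason
    except Exception as e:  # DNS failure, timeout, connection refused, ...
        return False, "%s: %s" % (type(e).__name__, e)


if __name__ == "__main__":
    platform, hosts = ruleset_targets(SAMPLE_RULESET)
    print(platform, hosts, "wildcards:", wildcard_targets(hosts))
    for hdr in ("max-age=31536000; includeSubDomains; preload",
                "max-age=10886400; includeSubDomains",
                "max-age=86400; includeSubDomains", None):
        print(repr(hdr), "->", classify_hsts(hdr))
```

Run it against a real ruleset by reading the XML file into `ruleset_targets` and passing each host to `probe_host`; a header that is strong but lacks `preload` lands in the second list above, and a short `max-age` in the third. The probe only tells you the certificate chains to a publicly trusted root and what the header says, so a hit still needs the manual audit the thread asks for (content actually served, redirects, wildcard subdomains).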

@cschanaj, could you update your comment as a checkbox list to coordinate our efforts, please?

chaox.net is weird. I think it's a private server (subdomains have the names of common services: git, mumble, imap, smtp, vpn, wiki, ssh, deluge, etc.) and most subdomains redirect to a bogus page for external IPs.

What should be done in this case? This ruleset will most likely have zero use.

I have a similar question too. Some of the above sites, like ip0.eu, serve little to no content, and most of their sub-domains simply perform redirections. I see little value in it for most of our users since ip0.eu is not even on the top-1m list. Personally, I prefer a rm over updating the ruleset; is there any instruction for sites like this? Maybe this is related to HTTPS Everywhere coverage?

P.S. I would like to run the newly modified script after the more related PRs are merged, so please do not close this immediately. Thanks!

I have updated the audit list against the current master. Only 8 more rulesets require an audit according to the script I use. Thanks.

fr33tux.org is soon to be preloaded.

https://hstspreload.org/?domain=fr33tux.org

I would like to note that this issue can be closed once the pending PRs #9707, #9767, #7937 and #10069 are merged. Thanks.

Found with:

grep -F 'target host="*.' $(grep -l 'platform="cacert"' *.xml)

List of all CACert rulesets: #11385

Looks like this is done :tada:
